[pca] A question about how Safe operates.

McGraw, Robert P rmcgraw at purdue.edu
Fri Mar 21 19:19:36 CET 2014


Martin,

Thanks for this detailed explanation. Once thing that I have been doing is
finding the files that are marked as not safe and creating a script that
copies the file to file.pcayymmddhhmmss. I  run this script before I run
any with the --no-safe.

I now understand how I get some files with .new concatenated and some I do
not. I notice that the /etc/passwd file does not see to ever get over
ridden. 

Again thanks very much.


Robert


________________________________________


Robert P. McGraw, Jr.
Unix System Administrator                  EMAIL: rmcgraw at purdue.edu
Purdue University                          ROOM: MATH-807
College of Science                         PHONE: (765) 494-6055
150 N. University Street
West Lafayette, IN 47907-2067






On 3/21/14 7:18 AM, "Martin Paul" <martin.paul at univie.ac.at> wrote:

>Am 20.03.2014 16:46, schrieb McGraw, Robert P:
>> Can someone explain how safe works when patching with ‹no-safe.
>
>At first - keep in mind that PCA does not install patches itself, it
>uses the OS command "patchadd" for that. So PCA is not involved into
>modifying any OS files. What --safe does is documented like this:
>
>"Sometimes a patch re-delivers and silently overwrites files which have
>been modified locally. PCA tries to overcome this issue with its safe
>patch installation mode. Before installing a patch, PCA checks all files
>listed in the patch README for local modifications. If any modified file
>is in danger of being overwritten, a warning is shown and the patch is
>skipped."
>
>PCA collects a list of files delivered in a patch and runs "pkgchk"
>against that list. Like this, comparing the actual file size/mode/etc
>against /var/sadm/install/contents it finds out if a file has local
>modifications. If so, PCA in safe mode will skip the patch.
>
>Often a patch includes special install scripts for files included in the
>patch, which take care that files aren't simply overwritten by patchadd.
>Sometimes the intregrate changes into existing files, leaving local
>modifications alone. Sometimes they install the new file from the patch
>with an extension ".new" and leave it to the admin to integrate the
>changes.
>
>PCA has a white list of patches/files, where it knows that the relevant
>patch includes special handling, to reduce the number of false warnings.
>
>I use PCA like that:
>
>Install all patches with --safe. I then look at all patches which were
>skipped due to safe mode, and find out why. Then install the patches
>without --safe, and react as necessary: re-integrate local changes which
>got overwritten, integrate local changes and changes in *.new files into
>the file in question, etc.
>
>So --safe will just tell you "ohoh, watch out, there *might* be some
>manual intervention required after installing this patch, but I can't
>tell exactly what it is".
>
>Hope that helps,
>Martin.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5791 bytes
Desc: not available
URL: <https://lists.univie.ac.at/pipermail/pca/attachments/20140321/967764fa/attachment.bin>


More information about the pca mailing list